U.S. Department of Energy ORDER
Washington, D.C. DOE 5630.16A
6-3-93
SUBJECT: SAFEGUARDS AND SECURITY ACCEPTANCE AND VALIDATION TESTING PROGRAM
1. PURPOSE. To establish policy, requirements, and responsibilities for a
Safeguards and Security Acceptance and Validation Testing Program that
encompasses systematic processes for demonstrating the adequacy and
functional reliability of critical system elements and/or total systems
employed to meet safeguards and security protection needs.
2. CANCELLATION. DOE 5630.16, SAFEGUARDS AND SECURITY PERFORMANCE TEST
PROGRAM, of 8-25-92.
3. APPLICATION TO CONTRACTS. The provisions of this Order apply to all
Departmental elements and covered contractors to the extent implemented
under a contract or other agreement. A covered contractor is a seller
of supplies or services involving access to and protection of
classified information, nuclear materials, or other safeguards and
security interests under a procurement contract or subcontract.
4. EXCLUSIONS. This Order does not apply to unclassified computer
systems, TEMPEST, communications security, or sensitive compartmented
information facilities which are covered by DOE Orders 1360.2B,
5300.2D, 5300.3C, and 5639.8, respectively. DOE facilities and
activities regulated by the Nuclear Regulatory Commission (NRC) are
exempt from the requirements of this Order. Office of Civilian
Radioactive Waste Management (RW) personnel and activities not directly
associated with the NRC licensed facilities and thus not covered by the
NRC directives are subject to the provisions of this Order.
5. REFERENCES AND DEFINITIONS. See Attachment 1.
6. POLICY.
a. The adequacy of new and existing safeguards and/or security
systems to perform or accomplish the intended purpose shall be
confirmed through an acceptance and validation testing program
prior to operational use and periodically thereafter.
b. Safeguards and security acceptance and validation testing programs
implemented under this Order shall be formalized and documented.
c. DOE elements and DOE covered contractors are required to ensure
that safeguards and security measures implemented under their
cognizance meet established requirements for reliability,
operability, readiness, and performance.
d. The provisions of this Order shall be fully implemented by
8-25-95.
7. RESPONSIBILITIES.
a. Secretarial Officers shall ensure the provisions of this Order are
implemented for programs over which they have responsibility.
They shall:
(1) Clearly establish the criteria for taking necessary action,
as circumstances and policies indicate, including curtailment
or suspension of operations when such operations would result
in an immediate and unacceptable risk to national security
and/or the health and safety of employees or the public. If
these authorities are delegated, such delegations shall be
clearly established in writing, and shall be kept current.
(2) Ensure that corrective actions for deficiencies identified by
the testing program at facilities under their administrative
jurisdiction are implemented.
(3) Ensure an individual(s) is designated to be responsible for
bringing to the attention of the contracting officer each
procurement falling within the scope of this Order. Unless
another individual is designated, the responsibility is that
of the procurement request originator (the individual
responsible for initiating a requirement on DOE F 4200.33,
"Procurement Request Authorization").
(4) Require covered DOE contractors to develop, implement, and
manage a comprehensive safeguards and security acceptance and
validation test program in accordance with provisions of this
Order.
b. Director of Security Affairs (SA-1) shall provide management
direction and coordination in the development, implementation, and
oversight regarding safeguards and security acceptance and
validation testing.
c. Director of Safeguards and Security (SA-10) shall:
(1) Develop and provide Departmental policy and guidance
regarding safeguards and security acceptance and validation
testing.
(2) Ensure the development of the Headquarters Safeguards and
Security Validation Test Program Plan for Headquarters
safeguards and security program interests in accordance with
this Order.
(3) Ensure the development of an implementation plan for full
compliance with the requirements of this Order for
Headquarters activities.
d. Deputy Assistant Secretary for Security Evaluations (EH-4) shall
independently inspect and evaluate the degree of adherence by
Departmental elements to DOE policies and requirements relating to
the content, conduct, and results of the safeguards and security
acceptance and validation testing program.
e. Director, Naval Nuclear Propulsion Program (NE-60) shall, in
accordance with the responsibilities and authorities assigned by
Executive Order 12344 (statutorily prescribed by Public Law 98-525
(42 U.S.C. 7158, note)) and to ensure consistency throughout the
joint Navy/DOE organization of the Naval Nuclear Propulsion
Program, implement and oversee all policy and practices pertaining
to this Order for activities under the Director's cognizance.
f. Heads of Field Elements, except the Administrators of the Power
Marketing Administrations, shall:
(1) Establish written delegations of authorities and
responsibilities, as well as reporting requirements, for the
administration of the safeguards and security acceptance and
validation testing programs.
(2) Ensure the development and approval of safeguards and
security acceptance and validation test program plans in
accordance with this Order.
(3) Develop and recommend budgets and related resources to the
cognizant Secretarial Officer for providing support to the
testing program.
(4) Ensure that corrective actions for deficiencies identified by
the testing program are documented, prioritized, and
implemented.
(5) Take action, as circumstances and policies indicate,
including curtailment or suspension of operations when such
operations would result in an immediate and unacceptable risk
to national security and/or the health and safety of
employees or the public.
(6) Designate an individual(s) to be responsible for bringing to
the attention of the contracting officer each procurement
falling within the scope of this Order. Unless another
individual is designated, the responsibility is that of the
procurement request originator (the individual responsible
for initiating a requirement on DOE F 4200.33, "Procurement
Request Authorization").
(7) Require covered DOE contractors to develop, implement, and
manage comprehensive safeguards and security acceptance and
validation test programs in accordance with provisions of
this Order.
(8) Serve as approval authority for safeguards and security
validation test program implementation plans submitted by
subordinate organizations.
g. Administrators of the Power Marketing Administrations. Section
302 of the DOE Organization Act (Public Law 95-91) directs the
Secretary to operate and maintain the power marketing
administrations by and through their Administrators. The
Administrators have statutory and public utility responsibilities
for the safety, security, and reliability of the systems operated
by their organizations. The Administrators shall review and
approve the security standards, policies, and activities
appropriate for their facilities and operations. Such
determination shall include consideration of the requirements set
forth by this Order.
h. Procurement Request Originators (the individuals responsible for
initiating a requirement on DOE F 4200.33, "Procurement Request
Authorization") or such other individual(s) as designated by the
cognizant Secretarial Officer or Head of Field Element shall bring
to the attention of the cognizant contracting officer the
following: (1) each procurement requiring the application of this
Order, (2) requirements for flowdown of provisions of this Order
to any subcontract or subaward, and (3) identification of the
paragraphs or other portions of this Order with which the awardee,
or, if different, a subawardee, is to comply.
i. Contracting Officers, based on advice received from procurement
request originators or other designated individuals, shall apply
applicable provisions of this Order to awards falling within its
scope. For awards other than management and operating contracts,
this shall be by incorporation or reference using explicit
language in a contractual action, usually bilateral.
8. BASIC CRITERIA.
a. General.
(1) Safeguards and security acceptance and validation tests shall
be developed for each facility to validate functional
requirements and effectiveness of the safeguards and security
elements implemented and operating as part of a total system
and to assure continuing operation as a total system.
(2) Safeguards and security acceptance and validation tests shall
be conducted with the highest regard for the safety and
health of personnel, protection of the environment,
protection of Government property, and national security
interests with consideration to depict a level of realism for
the test to be representative of the capabilities of the
Design Basis Threat Policy issued by SA-1.
(3) The requirements contained in DOE Orders, Manuals, Site
Safeguards and Security Plans (SSSPs), safeguards and
security plans, and other guidance documents will be the
basis for designing and evaluating the tests, including
frequency of testing and acceptance criteria.
(4) Critical system elements shall be identified for each
relevant key program element set forth in DOE 5630.11A,
including Personnel Security, Protection Program Operation,
Nuclear Materials Control and Accountability, and Information
Security. Critical system elements may include safeguards
and security equipment, procedures, and/or people. These
elements shall be tested to verify their continued
functionability, operability, effectiveness and/or
performance.
(5) Validation testing of safeguards systems shall include
elements that can detect-in-time-to-prevent (e.g., portal
monitors and material surveillance procedures) and elements
that can effectively account for special nuclear material in
order to provide assurance that safeguards and security
systems are functioning properly (e.g., physical inventory).
Testing of some safeguards systems, such as the physical
inventory, does not necessarily require a specific stand-alone
test, but instead a check and evaluation of accounting
records, measurements data, and procedures.
(6) Testing of elements which are not prone to failure and which
are not subject to compromise without noticeable tampering,
such as walls and fences, is not required.
(7) At least every 365 days, a performance test encompassing
critical system elements associated with a comprehensive site
or facility threat scenario shall be performed to demonstrate
overall facility safeguards and security system
effectiveness. Comprehensive threat scenarios shall be taken
from facility specific vulnerability assessments.
(8) At least every 365 days, after each inoperative or
ineffective state for safeguards and security equipment, and
after any equipment repairs, each critical system element
identified under paragraph 8a(4) and any other critical
system elements directly integrated/affected by such
equipment shall be tested through the conduct of
effectiveness tests. Effectiveness testing shall cover the
range of performance parameters required in the facility's
approved safeguards and security plan, and include the number
of tests specified in the safeguards and security acceptance
and validation test program plan and justified in safeguards
and security acceptance and validation test plans. These
tests shall be performed immediately after such repairs,
inoperative state, or ineffective state. The overall
safeguards and security program shall be considered in a
degraded mode until such testing has confirmed the
operability of all applicable performance parameters.
Compensatory measures may be required during such degraded
modes.
(9) Critical system elements shall be evaluated for continuing
operability through the conduct of operability tests.
b. Safeguards and Security Acceptance and Validation Test Program
Plan. A documented and formalized safeguards and security
acceptance and validation test program plan shall be developed for
each facility and shall be included as part of the approved
safeguards and security plan. The purposes of this program plan
are to document the process and to identify a comprehensive set of
tests and a frequency of testing which confirm the ability of an
implemented and operating, critical system element or total system
to meet requirements contained in DOE safeguards and security
Orders and Manuals. The plan shall include the following sections
as a minimum:
(1) Program Description. A description of the facility's
safeguards and security acceptance and validation testing
program shall be provided. Descriptive elements shall
include the development, implementation, revision and
recordkeeping of test plans and the preparation of required
reports.
(2) Program Administration. A description of organizations and
positions responsible for developing, implementing, and
maintaining test plans and submitting reports shall be
included in this section.
(3) Critical System Elements. The requirements basis consisting
of critical system elements to be confirmed through testing
shall be described and listed in this section.
(4) Test Documentation Requirements. A list of test plans and
test reports shall be included in this section, with a
reference to each requirement presented in the Critical
System Elements section.
(5) Corrective Action Requirements. Corrective actions to be
taken for failures of safeguards and security elements to
pass test criteria specified as a requirements basis shall be
described in this section.
(6) Resources. Specialized personnel, equipment, and facilities
required for development, implementation, revision, and
archival of the test program shall be identified and
described in this section.
(7) References. A list of pertinent requirements basis
documents, standards, procedures, and reports shall be
included in this section.
c. Safeguards and Security Validation Test Plan. Written test
plan(s) shall be developed for each facility to validate
safeguards and security systems and critical elements. The plan
shall include the following sections as a minimum:
(1) Test Objectives. Identify and describe the test objectives.
(2) Scenario Description(s). Describe the threat scenarios
evaluated by the validation tests. The scenarios may be
restricted to specific, limited aspects of the safeguards and
security system - e.g., weapons detection at a Protected Area
entry point, or many elements of a total system, e.g., a
Force on Force exercise.
(3) Test Methodology and Evaluation Criteria. State how the
validation test will be conducted. List the steps involved
in the process of planning and execution. Include a
description of any statistical models or mathematical
formulas used to determine probabilities and confidence
levels, the number of tests to be performed under each
scenario to be tested, and pass/fail criteria. Also, models,
equations, or methods to be used for data analysis shall be
presented and discussed in detail. For tests validating
effectiveness of equipment, provisions for recording
calibration settings and equipment configurations shall be
described.
(4) Test Controls. Identify those controls to be imposed to
maintain the integrity of the test, yet minimize safety and
security risks. Controls apply to people, procedures, and
equipment characteristics - e.g., use of trusted agents,
providing minimum notice of test, controlling lighting
levels, or testing equipment under specific temperature and
humidity environmental conditions.
(5) Resource Requirements. List resources that are needed to
effectively conduct the test, including facilities,
personnel, and equipment.
(6) Test Coordination Requirements. Identify operational and
support elements, such as facility operations, safety,
quality assurance, and safeguards and security management,
where coordination is necessary.
(7) Operational Impact(s) of Testing Program. Describe the
operational impacts, if any, that will result from conducting
the test - e.g., facility production rates and overtime
costs.
(8) Compensatory Measures (if necessary). Identify measures that
are necessary to compensate for any degradation of safeguards
and security readiness experienced while conducting the
validation test. Also, identify measures to be implemented
in the event of test failures. Reference to existing,
approved procedures for compensatory measures is acceptable.
(9) Coordination and Approval Process. Describe the approval and
signoff process for test records and reports, including
provision for witness initials, dates of data collection, and
use of compensatory measures.
(10) References. Applicable DOE Orders and Manuals, SSSPs,
Safeguards and Security plans, and other DOE policy related
documents containing requirements for the element or system
being validated shall be included in a list of references.
Also, any other reference material used in analysis,
calculations, or discussion in this test plan or the
associated test report shall be included in this list. For
each reference, applicable sections and/or paragraph numbers
shall be included.
d. Safeguards and Security Acceptance and Validation Test Reports.
Test results shall be documented in test reports, which shall
include the following sections as a minimum:
(1) Objectives. A restatement of test objectives from the
associated test plan shall be included to permit a basic
understanding of the data collected and significance of the
conclusions and recommendations.
(2) Test Data. Recorded test data shall be provided, including
test forms and data sheets with original signoffs and
handwritten notes. Test data, signoffs, and dates beside
each signoff shall be recorded in pen and ink.
(3) Data Analysis. Analysis of the test data shall be
documented, using models, equations, or methodology presented
in the associated test plan.
(4) Test Results and Recommendations. A statement of success or
failure according to evaluation criteria provided in the test
plan shall be included. Also, any unusual observations
related to the area tested, but not otherwise addressed in
the associated test plan, shall be discussed.
Recommendations shall be included for any variations from
expected test results.
(5) Corrective Actions. Corrective actions recommended for
safeguards and security measures failing to meet requirements
shall be listed and discussed. The persons, organizations,
or groups responsible for the corrective actions should be
identified. Both immediate and longer range solutions will
be discussed.
(6) References. The related test plan and other pertinent
references included in the test plan shall be listed.
e. Test Documentation Retention. Safeguards and security acceptance
and validation test program plans, safeguards and security
acceptance and validation test plans, and safeguards and security
acceptance and validation test reports shall be maintained as
follows:
(1) Recordkeeping systems shall be capable of providing an audit
trail which clearly shows the relationship between all test
data and test documentation.
(2) Test documentation shall be retained according to DOE
1324.2A, RECORDS DISPOSITION, or as provided by law or
contract.
f. Unsatisfactory Results. Unsatisfactory results are determined
from criteria specified in a safeguards and security validation
test plan. The possibility of unpredictable test results which
may not be categorized as pass or fail is recognized and addressed
in the Test Results and Recommendations section of the safeguards
and security acceptance and validation test report.
Unsatisfactory results of a test may be cause to alter or suspend
program operations protected by inadequate safeguards and security
measures, if national security and/or the health and safety of
facility employees or the public is jeopardized.
(1) A decision to suspend operations is the responsibility of the
cognizant Head of Field Element or the cognizant Secretarial
Officer.
(2) The significance of the programmatic impact that would occur,
compensatory measures which have been, or can be,
implemented, previous test results, other inspection
findings, and potential as well as the immediacy of the risk
to national security and the health and safety of the
employees or the public will be the basis for a decision to
suspend operations.
9. IMPLEMENTATION SCHEDULE. Plans for full implementation of the
requirements of DOE 5630.16 were required to be approved by Heads of
Field Elements not later than 4-16-93. Plans shall be based on the
status of existing compliance with this Order and shall include the
timeframe for incremental and full implementation of those requirements
not currently met. Copies of approved plans shall be submitted to the
cognizant Secretarial Officer and SA-10.
10. ASSISTANCE. Questions concerning this Order should be directed to
Chief, Physical Security Branch, Telephone 301-903-4244.
BY ORDER OF THE SECRETARY OF ENERGY:
LINDA G. SYE
Acting Director of Administration
and Management
REFERENCES
1. DOE 1324.2A, RECORDS DISPOSITION, of 9-13-88, which provides standards
for the orderly disposition of records.
2. DOE 1360.2B, UNCLASSIFIED COMPUTER SECURITY PROGRAM, of 5-18-92, which
establishes requirements, policies, and responsibilities for
developing, implementing, and sustaining a DOE unclassified computer
security program.
3. DOE 5000.3B, OCCURRENCE REPORTING AND PROCESSING OF OPERATIONS
INFORMATION, of 1-19-93, which establishes a system for reporting of
operations information related to DOE-owned or operated facilities and
processing of that information to provide for appropriate corrective
action.
4. DOE 5300.2D, TELECOMMUNICATIONS: EMISSION SECURITY (TEMPEST), of
5-18-92, which establishes emission security (TEMPEST) policy and
program for automated information and telecommunications information
processing equipment pursuant to national program requirements.
5. DOE 5300.3C, TELECOMMUNICATIONS: COMMUNICATIONS SECURITY, of 5-18-92,
which establishes policy, responsibilities, and guidance concerning the
communications security (COMSEC) aspects of the telecommunications
services of the Department, and implements national policy on
telecommunications and automated information systems security.
6. DOE 5480.16, FIREARMS SAFETY, of 1-12-88, which provides standards and
procedures for the safe use of firearms.
7. DOE 5480.19, CONDUCT OF OPERATIONS REQUIREMENTS FOR DOE FACILITIES, of
7-9-90, which provides operational Departmental policy for use in
developing orders, plans, and/or procedures related to the conduct of
operations and facilities.
8. DOE 5630.11A, SAFEGUARDS AND SECURITY PROGRAM, of 12-7-92, which serves
as the general policy document for the DOE Safeguards and Security
Program, and contains applicable references.
9. DOE 5630.12A, SAFEGUARDS AND SECURITY INSPECTION AND EVALUATION
PROGRAM, of 6-23-92, which serves as the general policy document for
the DOE Safeguards and Security Inspection and Evaluation Program, and
contains applicable references.
10. DOE 5630.13A, MASTER SAFEGUARDS AND SECURITY AGREEMENTS, of 6-8-92,
which establishes Departmental policy for developing master safeguards
and security agreements.
11. DOE 5630.14A, SAFEGUARDS AND SECURITY PROGRAM PLANNING, of 6-9-92,
which establishes a standardized approach to protection program
planning, and prescribes DOE policy, objectives, responsibilities and
authorities for the planning process.
12. DOE 5632.1B, PROTECTION PROGRAM OPERATIONS, of 9-8-92, which
establishes policy, responsibilities, and authorities for the physical
protection of security interests, and contains applicable references
and definitions.
13. DOE 5632.2A, PHYSICAL PROTECTION OF SPECIAL NUCLEAR MATERIAL AND VITAL
EQUIPMENT, of 2-9-88, which establishes Departmental policy for the
physical protection of special nuclear materials.
14. DOE 5632.5, PHYSICAL PROTECTION OF CLASSIFIED MATTER, of 2-3-88, which
establishes Departmental policy for the physical protection of
classified matter.
15. DOE 5632.6, PHYSICAL PROTECTION OF DOE PROPERTY AND UNCLASSIFIED
FACILITIES, of 2-9-88, which establishes Departmental policy for the
physical protection of DOE property and unclassified facilities.
16. DOE 5632.7, PROTECTIVE FORCES, of 2-9-88, which prescribes Departmental
policy for the management, operation, and training of protective forces
responsible for protecting security interests at DOE facilities.
17. DOE 5632.8, PROTECTION PROGRAM OPERATIONS: SYSTEM PERFORMANCE TESTS,
of 2-4-88, which establishes requirements for the evaluation of
protection system capabilities.
18. DOE 5633.3A, CONTROL AND ACCOUNTABILITY OF NUCLEAR MATERIALS, of
2-12-93, which prescribes Departmental policies and responsibilities
for control and accountability of nuclear materials.
19. DOE 5634.1B, FACILITY APPROVALS, SECURITY SURVEYS, AND NUCLEAR
MATERIALS SURVEYS, of 9-15-92, which establishes requirements for
granting, maintaining and terminating facility activity approvals and
conducting onsite inspections of facilities with safeguards and
security activities.
20. DOE 5639.8, SECURITY OF FOREIGN INTELLIGENCE INFORMATION AND SENSITIVE
COMPARTMENTED INFORMATION FACILITIES, of 9-15-92, which establishes
responsibilities and authorities for the protection of Foreign
Intelligence Information and Sensitive Compartmented Information
Facilities within DOE.
21. DOE 5650.2B, IDENTIFICATION OF CLASSIFIED INFORMATION, of 12-31-91,
which prescribes Departmental policies for classification of
information.
22. DOE 5650.3A, IDENTIFICATION OF UNCLASSIFIED CONTROLLED NUCLEAR
INFORMATION, of 6-8-92, which prescribes Departmental policies for
designation of unclassified controlled nuclear information.
23. DOE 5700.6C, QUALITY ASSURANCE, of 8-21-91, which provides standards
and procedures for quality assurance.
24. DOE 6430.1A, GENERAL DESIGN CRITERIA, of 4-6-89, which provides design
criteria for use in the acquisition of the Department's facilities.
25. Title 48, Federal Acquisition Regulations System, Chapter 1, Federal
Acquisition Regulation, Part 46, "Quality Assurance," which provides
criteria for addressing acceptance testing elements in procurement
specifications.
26. Federal Environmental Inspections Handbook, of 10-91, by the Department
of Energy, Office of Environmental Guidance (EH-231), which provides
environmental considerations in testing.
DEFINITIONS
1. COVERED CONTRACTOR. A covered contractor is a seller of supplies or
services involving access to and protection of classified matter,
nuclear materials, or other safeguards and security interests under a
procurement contract or subcontract.
2. CRITICAL SYSTEM ELEMENT. A component of a larger system which directly
affects the ability of that system to perform a required function.
Critical system elements may include safeguards and security equipment,
procedures, and/or people.
3. EFFECTIVENESS TEST. A test to confirm that a critical system element
is operating as required and can effectively perform a specified
function. For example, in a balanced magnetic switch, an effectiveness
test for intrusion detection would confirm that a 1 inch or more
separation of the switch mounted on the door frame from the magnet
mounted on the door resulted in an alarm.
4. FACILITY. An educational institution, manufacturing plant, laboratory,
office building, or complex of buildings located on the same site that
is operated and protected as one unit by the Department or its
contractor(s).
5. OPERABILITY TEST. A test to confirm that a critical system element or
total system is operating. For a balanced magnetic switch, an
operability test would confirm that opening the door for entry or exit
resulted in an alarm.
6. PERFORMANCE TEST. A test to confirm the ability of an implemented and
operating, critical system element or total system to meet an
established requirement of protection against an adversary.
7. VALIDATION. The confirmation by testing that an implemented,
operational system or critical system element meets established
requirements.